Hi All, I want to change/add a drive for monitoring in the Windows agent's ossec.conf. For example, by default we have the directories below for monitoring:
<!-- Default files to be monitored - system32 only. -->
<directories check_all="yes">%WINDIR%/win.ini</directories>
<directories check_all="yes">%WINDIR%/system.ini</directories>
<directories check_all="yes">C:\autoexec.bat</directories>
<directories check_all="yes">C:\config.sys</directories>
<directories check_all="yes">C:\boot.ini</directories>
<directories check_all="yes">%WINDIR%/System32/CONFIG.NT</directories>
<directories check_all="yes">%WINDIR%/System32/AUTOEXEC.NT</directories>
<directories check_all="yes">%WINDIR%/System32/at.exe</directories>
<directories check_all="yes">%WINDIR%/System32/attrib.exe</directories>
<directories check_all="yes">%WINDIR%/System32/cacls.exe</directories>
<directories check_all="yes">%WINDIR%/System32/debug.exe</directories>
<directories check_all="yes">%WINDIR%/System32/drwatson.exe</directories>
<directories check_all="yes">%WINDIR%/System32/drwtsn32.exe</directories>
<directories check_all="yes">%WINDIR%/System32/edlin.exe</directories>
<directories check_all="yes">%WINDIR%/System32/eventcreate.exe</directories>
<directories check_all="yes">%WINDIR%/System32/eventtriggers.exe</directories>
<directories check_all="yes">%WINDIR%/System32/ftp.exe</directories>
<directories check_all="yes">%WINDIR%/System32/net.exe</directories>
<directories check_all="yes">%WINDIR%/System32/net1.exe</directories>
<directories check_all="yes">%WINDIR%/System32/netsh.exe</directories>
<directories check_all="yes">%WINDIR%/System32/rcp.exe</directories>
<directories check_all="yes">%WINDIR%/System32/reg.exe</directories>
<directories check_all="yes">%WINDIR%/regedit.exe</directories>
<directories check_all="yes">%WINDIR%/System32/regedt32.exe</directories>
<directories check_all="yes">%WINDIR%/System32/regsvr32.exe</directories>
<directories check_all="yes">%WINDIR%/System32/rexec.exe</directories>
<directories check_all="yes">%WINDIR%/System32/rsh.exe</directories>
<directories check_all="yes">%WINDIR%/System32/runas.exe</directories>
<directories check_all="yes">%WINDIR%/System32/sc.exe</directories>
<directories check_all="yes">%WINDIR%/System32/subst.exe</directories>
<directories check_all="yes">%WINDIR%/System32/telnet.exe</directories>
<directories check_all="yes">%WINDIR%/System32/tftp.exe</directories>
<directories check_all="yes">%WINDIR%/System32/tlntsvr.exe</directories>
<directories check_all="yes">%WINDIR%/System32/drivers/etc</directories>
<directories check_all="yes">C:\Documents and Settings/All Users/Start Menu/Programs/Startup</directories>
<ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>

If I want to monitor my drive D: and the specific directory E:abc/xyz, how can I do that? Please help me with this.

I am aware that we can add <directories check_all="yes">F:\foo/bar</directories>. Please help me if my syntax is wrong. When I restart the OSSEC agent, I see in the logs:

2012/02/22 03:15:57 ossec-agent: INFO: Monitoring directory: 'F:\foo/bar'.

But the fact is it does not monitor the directory. For example, if you create a file test.txt inside the F:\foo/bar directory and restart the agent, we do not get an event. And if we add <directories check_all="yes">tera maa ka boka</directories>, we still get:

2012/02/22 03:15:57 ossec-agent: INFO: Monitoring directory: 'tera maa ka boka'.

Please help.
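An added pre-flight check (my own example, not code from the poster or from the OSSEC project): the agent's "Monitoring directory:" line echoes whatever string is configured, even the nonsense entry above, so it does not confirm that the path exists. This script parses the <directories> entries, expands %VAR% references, normalises the mixed "/" and "\" separators to Windows form, and reports which entries are full Windows paths and which actually exist; the sample fragment, the environment and the existence check passed in are constructed, and on the Windows host itself the real environment and filesystem are used.

```python
import ntpath
import re
import xml.etree.ElementTree as ET

# Constructed sample: a few of the default entries plus the ones asked about;
# the nonsense entry is the one quoted in the post.
SAMPLE_SYSCHECK = r"""
<syscheck>
  <directories check_all="yes">%WINDIR%/win.ini</directories>
  <directories check_all="yes">%WINDIR%/System32/drivers/etc</directories>
  <directories check_all="yes">F:\foo/bar</directories>
  <directories check_all="yes">D:\</directories>
  <directories check_all="yes">E:abc/xyz</directories>
  <directories check_all="yes">tera maa ka boka</directories>
</syscheck>
"""

VAR_RE = re.compile(r"%([^%]+)%")


def resolve_entry(raw, env):
    """Expand %VAR% from the supplied environment and normalise mixed '/' and
    '\\' separators to Windows form (ntpath does this on any host OS)."""
    expanded = VAR_RE.sub(lambda m: env.get(m.group(1).upper(), m.group(0)), raw)
    path = ntpath.normpath(expanded)
    drive, tail = ntpath.splitdrive(path)
    # "E:abc\xyz" is drive-relative and "tera maa ka boka" has no drive at all;
    # neither names a fixed location, yet the agent logs both as monitored.
    absolute = bool(drive) and tail.startswith("\\")
    return path, absolute


def check_syscheck(xml_fragment, env, exists):
    """One dict per <directories> entry: normalised path, whether it is a full
    Windows path, and whether exists(path) confirms it is really there."""
    results = []
    for node in ET.fromstring(xml_fragment).iter("directories"):
        raw = (node.text or "").strip()
        path, absolute = resolve_entry(raw, env)
        results.append({
            "raw": raw, "path": path, "absolute": absolute,
            "exists": absolute and bool(exists(path)),
            "unexpanded": "%" in path,  # a %VAR% the environment did not define
        })
    return results


if __name__ == "__main__":
    import os
    for r in check_syscheck(SAMPLE_SYSCHECK, dict(os.environ), os.path.exists):
        status = "OK" if r["exists"] else ("NOT A FULL PATH" if not r["absolute"] else "MISSING")
        print(f"{status:15} {r['raw']!r} -> {r['path']!r}")
```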